
The five main aspects of poor Internet security



According to an analytical report by Marketsandmarkets.com, the security market for the Internet of Things will reach $37 billion by 2021. Wherever cybersecurity chaos grows, big money is spent on restoring security.

In early 2017, experts predicted that the gaping holes in IoT would lead to the destruction of critical infrastructure, increased competitive intelligence and theft of intellectual property. It was also predicted that a multiple increase in DDoS attacks would paralyze the Dyn DNS system, and with it many important web domains.
Let's take a look at the five main aspects of the deplorable state of IoT security arising from explosive growth, scale, vulnerability, capacity and device availability.

First aspect


Today, at least 6 million new IoT devices come online every day, which means that new vulnerabilities are constantly emerging. For example, last year at DefCon, 47 new vulnerabilities were discovered in 21 IoT devices from 21 manufacturers. Given that a single device usually has several holes, the situation is deplorable.

The vulnerability of IoT devices is due to several factors: manufacturers' lack of experience in reliably protecting their products; modest computing and storage capacity, which limits the range of available security mechanisms; difficult software update procedures; and users' lack of attention to the threats posed by IoT devices.



Second aspect


IoT devices are a very attractive, powerful, and ubiquitous environment for intruders. The growing number of easily cracked consumer devices increases the likelihood, frequency, and severity of attack scenarios, including attacks on corporate data, businesses, equipment, employees, and consumers.

It is easy for an attacker to gain control over entire networks, starting with the compromise of one of the many vulnerable consumer IoT devices. A prime example is the popular NEST thermostat. In 2015, TrapX Security engineers connected to the miniUSB port of the thermostat and launched a man-in-the-middle (MITM) attack, during which the ARP address of the network gateway was spoofed using a special application. Hackers use MITM attacks to gain control over systems at one or both ends of a communication, including corporate networks.

The described hole is just one of many examples of how seemingly innocent IoT devices can lead to the compromise of entire networks and organizations, to theft, and possibly even to the disruption of ongoing processes. By gaining control of the IoT network at home or in an organization, hackers can not only steal data, but also endanger life, health and property.
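A MITM of the kind described above shows up on the LAN as the gateway's IP address suddenly being claimed by a different MAC address. The following detection sketch is an added example, not code from the article or from TrapX; the log format, the addresses and the function name `find_gateway_spoofing` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as "time sender_ip is-at sender_mac".
# The addresses and the log format are assumptions made for this example.
SAMPLE_LOG = """\
10:00:01 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 192.168.1.23 is-at a4:77:33:10:20:30
10:00:05 192.168.1.40 is-at 18:b4:30:aa:bb:cc
10:03:10 192.168.1.1 is-at 18:B4:30:AA:BB:CC
10:03:11 192.168.1.1 is-at 18:b4:30:aa:bb:cc
bad line that should be skipped
10:03:15 192.168.1.1 is-at 00:11:22:33:44:55
"""

LINE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)

def find_gateway_spoofing(log_text, gateway_ip, trusted_mac=None):
    """Return alerts for ARP replies that bind gateway_ip to an unexpected MAC.

    If trusted_mac is None, the first MAC seen for the gateway is trusted
    (trust on first use), which is weaker than a pinned value.
    """
    trusted = trusted_mac.lower() if trusted_mac else None
    ips_by_mac = defaultdict(set)    # MAC -> every IP it has claimed so far
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                 # ignore malformed lines
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        ips_by_mac[mac].add(ip)
        if ip != gateway_ip:
            continue
        if trusted is None:
            trusted = mac
        elif mac != trusted:
            # A MAC that already answers for another host is a strong sign
            # that an existing LAN device is impersonating the gateway.
            others = sorted(ips_by_mac[mac] - {gateway_ip})
            alerts.append({"time": ts, "claimed_by": mac, "also_seen_as": others})
    return alerts

if __name__ == "__main__":
    for alert in find_gateway_spoofing(SAMPLE_LOG, "192.168.1.1"):
        print(alert)
```

Pinning the gateway MAC with `trusted_mac` avoids trusting a binding that was already spoofed when monitoring started.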



Third aspect


IoT is the key to a huge array of personal user information that helps hackers choose targets and attack vectors. It becomes easier for them to find passwords used in key companies and in government, military, political and public organizations.

User data is collected on the Internet of Things to help companies conduct targeted marketing by creating a digital representation of all of a user's preferences and characteristics. Attackers steal and combine data from different sources in order to reveal people's interests and habits, so that they can work out passwords and answers to secret questions. At the same time, people often reuse their usual passwords in corporate networks.

Fourth aspect


Making SCADA and industrial control systems more accessible through IoT makes widespread devastating attacks possible. When industrial IoT-based control systems are connected to the Internet, it becomes extremely difficult to protect the national infrastructure (utilities, power grids, and so on) from attacks.

As an example of such a scenario, we can recall the recent attack on Ukrainian energy facilities, as a result of which tens of thousands of people were left without electricity. In this case, the target of the attack was the critical infrastructure management system, which was taken out of service. And that attack was quite small in scale and consequences.

Fifth aspect


The widespread and mostly open IoT makes it possible today, more than ever, to conduct simultaneous “Fire Sale” attacks on any agency, service or enterprise, as shown in the film “Die Hard 4”. Thanks to the Internet of Things, hackers can create and use botnets so large that simultaneously jamming multiple infrastructures with DDoS attacks becomes almost routine.

Imagine what happens if 10-15% of the devices of a certain country are used for a DDoS attack against the resources of one of the world's financial centers, for example, Wall Street.

According to Gartner's forecast, with 5.5 million IoT devices in 2016, by 2020 we will arrive at a total fleet of 20.8 billion devices operating daily. To secure this equipment, companies must first weigh convenience and efficiency against risks, implement security policies and procedures designed for each type of device, and train staff to work properly with the Internet of Things. IDS/IPS security technologies that take the behavioral factor into account must also guard against potentially harmful behavior of IoT devices.

When a company installs and uses consumer devices such as the NEST thermostat, it must also implement new second-generation firewalls that allow connections only to certain IP addresses, apply security policies to second-generation endpoints, and also use disguise technology. The appearance of vulnerable devices in homes and the possible consequences of this trend are important reasons for educating employees about the risks.

It doesn't matter how attackers work out passwords and answers to secret questions: you can protect yourself with additional authentication. For example, use PINs and send codes by mail. Companies themselves must adapt to changes in the approach to choosing passwords. This requires professionals who are aware of the risks of a new technology, and constant updating of the software and hardware infrastructure (without bringing in new risks).

It is difficult to secure SCADA and legacy industrial control systems, because such systems tend to be closed and lack even basic cybersecurity mechanisms. At a minimum, companies must isolate them in their networks and closely monitor and regulate access to them. Industrial control systems have high availability requirements, which means that downtime for updates is not acceptable. In an ideal world, such systems must be complemented by perfect protection and be isolated from the Internet.

As with repelling a “Fire Sale” attack, protecting IoT from DDoS attacks means securing devices on the assumption that the network is hostile, and securing the network on the assumption that individual devices are hostile. This approach is consistent with the security model of zero trust and minimum privileges.

Organizations can protect themselves from hackers using IoT botnets by tightening security on networks that contain IoT devices. But to do this, they need to thoroughly test how effectively the available tools actually protect them. New masking technologies will make it possible to detect intruders.

What should we start doing?


The future of Internet of Things security is not bright, but it is not hopeless either. It is already worth taking the following steps:

• Regulators should penalize companies that sell equipment with security issues until they recall and fix their products.
• Legislators should introduce laws requiring that IoT device software be periodically returned to its original state. This will periodically get rid of the malware used to penetrate the network.
• Finally, new hardware can use a limited range of IPv6 addresses, so that those who are under attack from botnets can more easily get their provider to reject all packets originating from IoT devices.

Source: https://habr.com/ru/post/332852/

